For the past couple of weeks, security and the Internet of Things (IoT) have been in the news like never before. During the first few days after the massive distributed denial of service (DDoS) attack on domain name service Dyn, I almost couldn't look at a news outlet without seeing or hearing a discussion highlighting the security vulnerabilities of IoT.
As it turned out, this DDoS attack could have been prevented simply by requiring users to reset the default passwords on Internet-connected cameras during the setup process. This proves once again that most security breaches take advantage of well-known vulnerabilities that haven't been addressed, despite ample alerts.
And while the attack caused a great deal of inconvenience to users of Twitter, Netflix, Spotify, and the like, it did have its upside, shining a bright light on the need for a comprehensive approach to security in IoT deployments. Bottom line: IoT security is everybody's responsibility: Users, manufacturers, integrators, security vendors, technology vendors, IT teams, Operational Technology teams, employees-all of us have a role to play.
In an upcoming blog, I'll talk more about security as a key ingredient in my recipe for IoT success. But for now, I'll highlight some basic principles and best practices.
The first thing to realize is that there is no such thing as foolproof IoT security if you want to enjoy the benefits of connected systems. Even physical isolation doesn't work-as demonstrated by the Stuxnet virus, which made its way into industrial operations via a thumb drive. But you can make informed risk vs. cost decisions by applying a few principles:
Adopt a comprehensive before/during/after approach. Implement strategiesbeforean attack to prevent unauthorized access (from both external and internal players).Duringan attack, quickly identify the breach and shut it down. Then,afterthe attack, assess and minimize the damage-and adjust security practices based on lessons learned.
It is true that IoT security is in many ways unique: it is more distributed, more heterogeneous, and more dynamic than traditional IT security environments. It also introduces new scenarios that require brand new approaches to security (think connected cars, sensor swarms and consumer-class devices in the workplace).
For most organizations, the logical first step on their IoT security journey is to leverage 30+ years of experience and best practices that IT security systems give us. So let's not reinvent the wheel. Let's take a comprehensive, strategic, policy-based architectural approach by extending and enhancing current IT security architectures to cover IoT devices, infrastructure, solutions, and use-cases.
Yes, we are dealing with an active adversary. But it doesn't mean that security should be something we fear or demonize. The right answer is to develop an informed risk assessment and monitoring strategy, accompanied by an appropriate and proportional security response that accounts for the particular threat level and the amount of value at risk. And because securing your IoT deployment is not a one-time event, let's implement it as an ongoing process, like IoT journey itself.
Strategic innovation in the digital age is powered by people connected to the Internet of Things (IoT). Maciej Kranz has written a definitive guide on how to implement and capture the unprecedented value of IoT. The first of its kind,Building the Internet of Things,"gets past the hype to guide organizations across industries through the IoT journey. His book is available online at major retailers.